I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Scary le Poo@beehaw.org · 2 days ago

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Clent@lemmy.dbzer0.com · 1 day ago

How unique do you suppose file system paths are?

How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.

The scanning for known releases becomes trivial once the file system pattern is known.

i_am_not_a_robot@discuss.tchncs.de · 1 day ago

If the server is using a standard path prefix and a standard file layout and is using standard file names it isn’t that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.

But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.

lazynooblet@lazysoci.al · 1 day ago

I’ve not looked but if the video id is based on its path, then surely the path includes the filename no? You can’t split a hash into its separate original parts, you either guess the entire thing or not. So in that case, the hash is going to challenging to brute force.

i_am_not_a_robot@discuss.tchncs.de · 1 day ago

It’s not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it’s basically impossible.

Saik0@lemmy.saik0.com · 21 hours ago

but if you wanted to enumerate the files on a server it’s basically impossible.

Well lets say your a big movie studio… In the past 10 years you’ve released 40-50 movies. You pay some lawfirm to go out and find illegal copies of your movies.

Those 40-50 movies * 1000 or 10000 common paths/names makes you a nice table of likely candidates. Prehash that table in MD5. It doesn’t take all that much effort to “enumerate” all the movies that your studio cares about. 50000 http requests is childs play and you can scan a public server within minutes for your list.

Fully bruteforcing the thing… yeah that’s ridiculous. But I don’t think that people are naming bigbucksbunny.mkv as Rp23GXTHp4GN7P6j86HjRdxtfSKKAArj.mkv. So it’s not like we’re looking for “random” or “all” files anyway.

I don’t think anyone was ever saying that the risk here is full enumeration. Though it is technically possible with sufficient time… just will take a lot of time.

i_am_not_a_robot@discuss.tchncs.de · 15 hours ago

That is possible, but I don’t think you need to worry about that. Having a copy of a movie is not normally itself a crime.

Saik0@lemmy.saik0.com · 11 hours ago

Having it publicly accessible on a web server is distribution. And that normally IS a crime unless you have some licenses to do so.

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin